Real-Time Audit Trail

thane logs every security-relevant event in real time. See file accesses, command executions, network connections, and detected secrets or PII — with severity-based filtering and JSON export for compliance.

Security Event Logging

Every sandbox violation, file access outside allowed paths, and blocked syscall is logged with timestamps, severity, and context.

PII & Secret Detection

thane scans Claude Code's terminal output for patterns matching API keys, passwords, AWS credentials, and personal information — flagging them in the audit trail.

Severity-Based Filtering

Filter audit entries by severity: info, warning, or critical. Focus on what matters or see the full event stream for thorough review.

JSON Export

Export the audit trail as structured JSON for compliance reporting, integration with SIEM tools, or post-incident analysis.

How it works

The audit system hooks into thane's sandbox enforcement layer. When Landlock blocks a file access or seccomp blocks a syscall, the event is captured with full context: what was attempted, which workspace and terminal it came from, the timestamp, and the enforcement action taken.

PII and secret detection runs on terminal output using pattern matching for common credential formats: AWS access keys, GitHub tokens, private keys, email addresses, and more. Matches are flagged in the audit trail with configurable sensitivity — you control whether the policy is to warn, redact, or block.

The audit panel in thane's sidebar shows events in real time, with color-coded severity indicators. Click any entry to see full details. The JSON export includes every field, making it easy to feed into your existing security monitoring tools or attach to compliance reports.

Use cases

Security monitoring

Watch in real time as Claude Code works, seeing every file access and command execution. Immediately spot suspicious behavior or policy violations.

Compliance reporting

Export audit trails as JSON to prove that Claude Code operated within defined boundaries — required for SOC 2, HIPAA, or internal security policies.

Post-incident analysis

When something goes wrong, the audit trail provides a complete record of what Claude Code did, when, and what was blocked — enabling rapid root cause analysis.

Related features

Kernel-Level Sandboxing

Landlock + seccomp isolation for Claude Code

Cost & Token Tracking

Per-model pricing, live token counters

Agent Queue

Headless task scheduling with priority ordering

Ready to try thane?

Free for personal use. Kernel-level sandboxing, split panes, embedded browser, and a 41-method API — all on your machine.

Download thane freeSee all features